
Managing Information Security Problems

Clarence Hoop
Chief, Plans, Policy & Integration Division
DISA CISS
Phone: (703) 681-7988
hoopc@ncr.disa.mil


Form SF298 Citation Data

Report Date ("DD MON YYYY"): 01011996
Report Type: N/A
Title and Subtitle: Managing Information Security Problems
Performing Organization Name(s) and Address(es): DISA
Distribution/Availability Statement: Approved for public release, distribution unlimited
Document Classification: unclassified
Classification of SF298: unclassified
Classification of Abstract: unclassified
Limitation of Abstract: unlimited
Number of Pages: 34

REPORT DOCUMENTATION PAGE (Form Approved, OMB No. 074-0188)

2. REPORT DATE: 1/1/96
3. REPORT TYPE AND DATES COVERED: Briefing
4. TITLE AND SUBTITLE: Managing Information Security Problems
6. AUTHOR(S): Clarence Hoop
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): IATAC, Information Assurance Technology Analysis Center, 3190 Fairview Park Drive, Falls Church VA 22042
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): Defense Technical Information Center, DTIC-IA, 8725 John J. Kingman Rd, Suite 944, Ft. Belvoir, VA 22060
12b. DISTRIBUTION CODE: A
13. ABSTRACT (Maximum 200 Words): This DISA briefing discusses the topic of managing information security problems. The areas the briefing covers are: the operational environment; what are some of the problems encountered; what is happening in the community today; and what are the community plans for the future. It addresses the issues of insider threat, external threat, how to cope with the threats, use of firewalls, and the Defense in Depth strategy.
15. NUMBER OF PAGES: 34
17. SECURITY CLASSIFICATION OF REPORT: Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified
19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified
20. LIMITATION OF ABSTRACT: None


Presentation Outline


Technology Revolution

DISN
- Transmission
- Command & Control
- Messaging
- Combat Support
Global

[Figure: DISN diagram of LAN segments (file servers, workstations, print servers, a database, a bridge to a remote LAN) connected through the global network]

Requirements

C4I for the Warrior

DISA INFOSEC STRATEGY: Supporting the DISA Mission


Intruder Technical Knowledge

[Chart, 1980 to 1995: tool sophistication rising while the technical knowledge required of attackers falls from high to low. Tools and techniques plotted, roughly in order of appearance: password guessing, password cracking, disabling audits, packet spoofing, GUI-driven tools, hijacking sessions, self-replicating code, exploiting known vulnerabilities, back doors, sweepers, sniffers, diagnostics, stealth.]


Intruders Have Been Observed

- Destroying data
- Destroying software
- Modifying data
- Modifying software
- Stealing data
- Stealing software
- Shutting down hosts/networks
- Using DoD systems as launch points


Incidents Reported to DISA/ASSIST

[Chart: 1996 incident breakdown, 1996 (303) vs 1995 (180), as of 2400 hrs 23 May 96. Reported incidents by category: Malicious Code 214; Other 11; Intrusions.]


What  do  we  see  at  ASSIST? 


Tools  &  Techniques 

-  Telnet/ftp 

-  Password  Files/tftp/Crack 

-  Sendmail/smtp 

-  Sweepers 

-  finger 

-  Sniffer 

-  r*  commands 

-  IP  spoofing 

-  Rootkit 
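The list above is the intrusion tooling ASSIST saw most often. As an added example, not part of the briefing, the script below runs a simple triage over constructed BSD-syslog/tcp_wrappers-style lines and flags the traces those tools leave on a UNIX host: repeated telnet/ftp login failures (password guessing), a tftp read of /etc/passwd (the password-file grab that feeds Crack), sendmail VRFY/EXPN/DEBUG/WIZ probing, r* connections from hosts outside an assumed trusted list, and one source touching many services (a sweeper). The sample log, the daemon names, the message formats and the TRUSTED_HOSTS set are all assumptions made for this example; adapt the regular expressions to the formats your own daemons emit.

```python
"""Host-log triage for the intrusion tools ASSIST reported seeing (telnet/ftp
guessing, tftp password-file grabs, sendmail probing, sweepers, r* commands).
The sample log, daemon names and message formats are constructed for this
example in the style of BSD syslog + tcp_wrappers; they are not real logs."""
import re
from collections import Counter, defaultdict

# Assumption: hosts from which rlogin/rsh/rexec are legitimately used.
TRUSTED_HOSTS = {"192.0.2.10", "192.0.2.11"}

# "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[\w.]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
R_DAEMONS = {"in.rlogind", "in.rshd", "in.rexecd"}
LOGIN_DAEMONS = {"login", "in.telnetd", "in.ftpd", "ftpd"}

# Constructed sample: one attacker (198.51.100.5) working through the ASSIST
# tool list against hostA, plus one legitimate rsh from a trusted host.
SAMPLE_LOG = """\
May 23 02:14:07 hostA in.telnetd[2201]: connect from 198.51.100.5
May 23 02:14:20 hostA login[2202]: FAILED LOGIN 1 FROM 198.51.100.5 FOR root
May 23 02:14:31 hostA login[2202]: FAILED LOGIN 2 FROM 198.51.100.5 FOR root
May 23 02:14:40 hostA login[2202]: FAILED LOGIN 3 FROM 198.51.100.5 FOR root
May 23 02:15:02 hostA in.tftpd[2211]: connect from 198.51.100.5
May 23 02:15:03 hostA in.tftpd[2211]: read request for /etc/passwd from 198.51.100.5
May 23 02:15:30 hostA sendmail[2220]: VRFY root from 198.51.100.5
May 23 02:16:01 hostA in.fingerd[2230]: connect from 198.51.100.5
May 23 02:16:10 hostA in.rlogind[2240]: connect from 198.51.100.5
May 23 02:17:00 hostA in.rshd[2250]: connect from 192.0.2.10
"""


def parse(line):
    """Split one syslog line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, guess_threshold=3, sweep_threshold=4):
    """Return a list of (source, finding, evidence_line) tuples.

    Per-line rules fire immediately; the two counting rules (password
    guessing, service sweep) are evaluated after the whole log is read."""
    findings = []
    login_failures = Counter()           # source -> failed logins
    services_by_src = defaultdict(set)   # source -> distinct daemons touched
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        prog, msg = rec["prog"], rec["msg"]
        src_m = re.search(r"\bfrom (\S+)", msg, re.I)
        if src_m is None:
            continue
        src = src_m.group(1)
        services_by_src[src].add(prog)
        # Password files / tftp / Crack: a tftp read of the password file.
        if prog.endswith("tftpd") and re.search(r"/etc/(passwd|shadow|master\.passwd)\b", msg):
            findings.append((src, "tftp password-file grab", line))
        # Sendmail/smtp: account enumeration and the old debug/wiz commands.
        if prog == "sendmail" and re.search(r"\b(VRFY|EXPN|DEBUG|WIZ)\b", msg, re.I):
            findings.append((src, "sendmail probing", line))
        # r* commands: any rlogin/rsh/rexec from a host we do not trust.
        if prog in R_DAEMONS and src not in TRUSTED_HOSTS:
            findings.append((src, "r* command from untrusted host", line))
        # Telnet/ftp: count failed logins per source.
        if prog in LOGIN_DAEMONS and re.search(r"failed login|login failed", msg, re.I):
            login_failures[src] += 1
    for src, n in login_failures.items():
        if n >= guess_threshold:
            findings.append((src, f"password guessing ({n} failed logins)", None))
    for src, svcs in services_by_src.items():
        if len(svcs) >= sweep_threshold:
            findings.append((src, f"service sweep ({len(svcs)} services)", None))
    return findings


def by_source(findings):
    """Group finding labels by source address, for a one-look summary."""
    out = defaultdict(list)
    for src, label, _ in findings:
        out[src].append(label)
    return dict(out)


if __name__ == "__main__":
    for src, labels in by_source(triage(SAMPLE_LOG.splitlines())).items():
        print(src, "->", "; ".join(labels))
```

The thresholds are deliberately low so the sample trips every rule; on a real host the service-sweep count should be tuned against the daemons a legitimate client normally touches, and the trusted-host set should come from the same hosts.equiv/.rhosts files the r* daemons consult.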


What  do  we  see  at  ASSIST? 


Virus Contenders

- Word Macro Virus
- Monkey
- Form
- BUPT
- AntiExe
- Jack the Ripper


Where  do  they  get  those  toys? 


Newsgroups 


Books 

Magazines 


FTP  Sites 
WEB  Pages 


An  Example  of  DoD  Functions  Affected 


Composite  Material  Research 

Structural  Research  on 
Ships/Planes 

Personnel  Management 
Services 

Ballistic  Weapons  Research 

R&D  on  Health  Sciences 

R&D  on  Ocean  Sciences 

Inventory  and  Property 
Accounting 

Organizational  Service 
Training 

Payroll  and  Business  Support 

Finite  Element  Analysis  of 
Submarine  Structures 


Mathematical  Simulations 

Supply  and  Maintenance 
Support  System 

Master  Clock  for  1/4  of  the 
WORLD 

Command  Tasker  System 

Mail  Hub  for  Post-wide 
Electronic  Mail 

Finance  Databases 

Procurement 

Scientific  Modeling  for 
Battlefield  Environment 

C3  Development 

Ocean  Surveillance 


Military  Health  Systems 

High  Performance 
Computing  Systems 

Supercomputer  Research 
Network 

Artificial  Intelligence 
Research 

Knowledge  Based 
Simulation 

Applied  Research  in 
Photonic  Technology 

Force  Level  Execution 

Battle  Management 
Decision  Aids 
(Presentation) 


INFOSEC Functions


Vulnerability 

Assessments 


Operational  Response 


Threat  Assessments 

Security  Management 
Oversight 


Security  Products 


Training  &  Education 
Awareness 


System  Security  Engineering 
Security  Standards 


Multi-Disciplined  Security 
Certification 


Compliance  &  Validation 


Lead  Security  Officers 


Classification  Management 


Demonstrations  & 
Exercises 


Multilevel  Security 


Incident  Response 


VISION & STRATEGY FOR DEFENSIVE INFORMATION WARFARE

Establish teaming relationships, leverage work
Cost effective fixes for critical vulnerabilities
Provide standardized Certification/Accreditation of DII
Reflect IW-D process in every program


DISA's Multi-Disciplined Security Process

INFOSEC Engineering, Integration & DOD MLS Program
Standardized DOD Certification
Integrated Operations, Monitoring, and VAAP
Threat/Vulnerability Assessments and Tool Development
Policy & Plans
Education, Training & Awareness
INFOSEC Technical Services Contract


Collaborative Work

Threat & Vulnerability

Threat Assessments / Vulnerability Assessments

Technical Vulnerabilities
  • Operating Systems
  • Networking
  • Applications

Operating Vulnerabilities
  • Detection
  • Reporting
  • Response

System Security Management Vulnerabilities
  • User Awareness
  • Policy/Procedure Adherence

Linkage between Infrastructure Networks
  • Telecommunications
  • Transportation
  • Power

Standard Certification Process

Current Operations


Vulnerability Assessments

Phase I - Network Sweep
  Identify network elements
  Identify common vulnerabilities
Phase II - Vulnerabilities Sweep
  Exploit initial vulnerabilities
  Gain access to accounts
  Crack passwords
Phase III - Security Sweep
  Attain greater access
  Install Trojan horses
  Exploit trusted relationships
  Exploit network vulnerabilities

Current focus on UNIX and TCP/IP


Vulnerability Analysis & Assistance Program Findings

Based on 77 assessments on 38,726 host computers:

• 4.4% of DOD unclassified computers tested have "easily" exploitable front doors
• 65% - 89% of DOD unclassified computers tested can be further penetrated by network trusted relationships (not an indication of overall health of DII)
• 96% of VAAP penetrations undetected by host administrators and users
• 73% of detected penetrations go unreported

As of Oct 5, 1996
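Phase III of the assessment procedure exploits trusted relationships, and the second finding above says 65% to 89% of the hosts tested could be penetrated that way once one front door was open. As an added example, not part of the briefing and not the VAAP tooling, the script below shows what that finding looks like in practice: given an inventory of hosts with their hosts.equiv and .rhosts entries, it builds the r*-command trust graph (host B trusting host A means a foothold on A yields access to B; "+" means B trusts everyone; a leading "-" denies a host) and walks it from an initial set of compromised hosts to count how many more fall. The inventory is constructed for the example, and the entry syntax is simplified to hostnames, "+" and "-host", a subset of the real file syntax.

```python
"""Trusted-relationship reachability for r* commands (rlogin/rsh/rexec).
The host inventory below is constructed for this example; entries in
hosts.equiv and .rhosts are simplified to 'host', '+' (trust anyone) and
'-host' (explicit deny), which is a subset of the real file syntax."""
from collections import deque

# Constructed inventory: name -> trust configuration found on that host.
INVENTORY = {
    "ws01":    {"hosts_equiv": ["srv01"], "rhosts": {"root": ["ws02"]}},
    "ws02":    {"hosts_equiv": ["srv01", "ws01"]},
    "srv01":   {"hosts_equiv": ["admin01"]},
    "admin01": {"hosts_equiv": []},
    "srv02":   {"hosts_equiv": ["+"]},               # trusts every host
    "ws03":    {"rhosts": {"oper": ["srv02"]}},
    "ws04":    {"hosts_equiv": ["-ws01", "ws03"]},   # denies ws01, trusts ws03
    "iso01":   {},                                   # no trust at all
}


def trusted_sources(cfg):
    """Collect the hosts a machine trusts from hosts.equiv and every .rhosts.
    A '-host' entry anywhere removes that host from the trusted set."""
    entries = list(cfg.get("hosts_equiv", []))
    for user_entries in cfg.get("rhosts", {}).values():
        entries.extend(user_entries)
    denied = {e[1:] for e in entries if e.startswith("-")}
    allowed = {e for e in entries if not e.startswith("-")}
    return allowed - denied


def build_trust_graph(inventory):
    """Return (edges, wildcard): edges[A] is the set of hosts that trust A,
    i.e. the hosts reachable once A is compromised; wildcard is the set of
    hosts that trust anyone ('+')."""
    edges = {h: set() for h in inventory}
    wildcard = set()
    for target, cfg in inventory.items():
        for src in trusted_sources(cfg):
            if src == "+":
                wildcard.add(target)
            else:
                edges.setdefault(src, set()).add(target)
    return edges, wildcard


def penetration_report(inventory, footholds):
    """Breadth-first walk of the trust graph from the initial footholds
    (the 'easily exploitable front doors'). Returns the extra hosts reached
    and the fraction of the remaining hosts that represents."""
    edges, wildcard = build_trust_graph(inventory)
    footholds = set(footholds) & set(inventory)
    seen = set(footholds)
    queue = deque(footholds)
    if footholds:                      # any foothold at all reaches every '+' host
        for h in wildcard - seen:
            seen.add(h)
            queue.append(h)
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    reached = seen - footholds
    remaining = len(inventory) - len(footholds)
    return {
        "reached": reached,
        "fraction": len(reached) / remaining if remaining else 0.0,
        "wildcard_trusters": wildcard,
    }


if __name__ == "__main__":
    r = penetration_report(INVENTORY, {"ws01"})
    print(f"foothold ws01 -> {sorted(r['reached'])} "
          f"({r['fraction']:.0%} of the other hosts); '+' on {sorted(r['wildcard_trusters'])}")
```

Run on the constructed inventory, a single front door on ws01 yields four of the other seven hosts, and the one "+" entry on srv02 is what carries the attacker across to the ws03/ws04 segment; the same walk started from admin01 reaches everything except the isolated host. Inverting the walk (which footholds reach a given critical host) is the question to ask when deciding where to spend the "cost effective fixes for critical vulnerabilities" the strategy slide calls for.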


Defense in Depth: Avoid a Single Point of Failure

Connecting LAN: Do the hosts pass the vulnerability sweep?
Firewalls: Do they meet the security and operational requirements?


Defense Intrusion Analysis and Monitoring Desk (DIAMOND)

Planned Intrusion Detection Capability
  GCC
  RCC
  DMC
  DCTF
  NIPRNet Gateway

Monitored for: Malicious Code, Data Streams, Unauthorized

Estimate: 100 suspect intruder sessions every 24 hours on DISA's NID system monitoring the NIPRNet Fixed East Gateway


Incident Summary

[Chart: incidents under investigation in May 96, with validated intrusions broken out]


INFOSEC Engineering & DOD MLS Program

Network Protection


COl  Burden  On  User 


PHYSICAL: SIPRNET | User's AIS | NIPRNET/Global Internet

Current Security Products
- Ops/Intel Interface
- TS/SCI LAN
- C2 Guard
- Two-Level Workstation
- Standard Mail Guard


Tools: How Do They Fit Together

[Diagram: platforms (UNIX, MVS, PC, voice, video) covered by the tool set: intruder detection, software integrity, AIMS (Automated Infrastructure Management System: infrastructure management and system countermeasures), and MCDES (virus detection and eradication)]


Managing  Vulnerability  Assessments: 
Integrated  Tools  &  Red  Teams 


INFOSEC Education, Training & Awareness

Mission:
• Courseware Development and Delivery
• INFOSEC Awareness Products
• INFOSEC Professional Development

Navy  Air Force  Marines


INFOSEC Technical Services Contract

• Quick reaction contract support to DOD & other Federal Departments/Agencies
• Three Contractor Teams
• Areas of Support Include:
  - Engineering
  - Architecture
  - Certification, evaluation and accreditation
  - Vulnerability assessment tools and techniques
  - Training and Awareness


Summary: The Way Ahead

Interoperable Across the DoD
Comprehensive Strategy
Information Assurance
Multi-Level Security

Multifaceted Challenge -- No SINGLE Solution


